Conference paper

Privacy Considerations for Risk-Based Authentication Systems


Authors list: Wiefling, Stephan; Tolsdorf, Jan; Lo Iacono, Luigi

Appeared in: 2021 IEEE European Symposium on Security and Privacy Workshops

Publication year: 2021

Pages: 320-327

ISBN: 978-1-6654-1013-7

eISBN: 978-1-6654-1012-0

DOI Link: https://doi.org/10.1109/EuroSPW54576.2021.00040

Conference: 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)


Abstract

Risk-based authentication (RBA) extends authentication mechanisms to make them more robust against account takeover attacks, such as those using stolen passwords. RBA is recommended by NIST and NCSC to strengthen password-based authentication, and is already used by major online services. Users also consider RBA to be more usable than two-factor authentication and just as secure. However, users currently obtain RBA's high security and usability benefits at the cost of exposing potentially sensitive personal data (e.g., IP address or browser information). This conflicts with user privacy and requires considering user rights regarding the processing of personal data. We outline potential privacy challenges regarding different attacker models and propose improvements to balance privacy in RBA systems. To estimate the properties of the privacy-preserving RBA enhancements in practical environments, we evaluated a subset of them with long-term data from 780 users of a real-world online service. Our results show the potential to increase privacy in RBA solutions. However, it is limited to certain parameters that should guide RBA design to protect privacy. We outline research directions that need to be considered to achieve widespread adoption of privacy-preserving RBA with high user acceptance.




Citation Styles

Harvard citation style: Wiefling, S., Tolsdorf, J. and Lo Iacono, L. (2021) Privacy Considerations for Risk-Based Authentication Systems, in 2021 IEEE European Symposium on Security and Privacy Workshops. Piscataway, NJ: IEEE. pp. 320-327. https://doi.org/10.1109/EuroSPW54576.2021.00040

APA citation style: Wiefling, S., Tolsdorf, J., & Lo Iacono, L. (2021). Privacy Considerations for Risk-Based Authentication Systems. In 2021 IEEE European Symposium on Security and Privacy Workshops (pp. 320-327). IEEE. https://doi.org/10.1109/EuroSPW54576.2021.00040


Last updated on 2025-05-08 at 11:58